USB PCAP Forensics: Graphics Tablet (NSEC CTF 2021 Writeup, Part 2/3)

Exploring the PCAP

As with last time, let's explore a bit to see what kind of data we're dealing with. Obviously, it's another USB PCAP. This one has more packets (~4400), spanning about 60 seconds. Most importantly, the "HID Data" column is populated this time, so the payload we want (the HID reports of the drawing device) is right there in the capture.

Extracting and understanding the data

Let’s use the same technique as with part 1. Simple and effective.

Cyberchef is ❤

Recovering what was written

For this part, I used the Python Pillow library to create an image from scratch. Each extracted HID report is a 3-byte tuple (buttons, dx, dy): bit 0 of the first byte is the left button, and the next two bytes are signed 8-bit relative movements. The code is pretty self-explanatory:

from PIL import Image

# Each event is one 3-byte HID report: (buttons, dx, dy).
# The full list extracted from the PCAP is elided here; only the first two
# and the last report are shown.
mouse_events = [
    (0x80, 0x01, 0xfd),
    (0x80, 0x01, 0xfe),
    # ... (the remaining reports extracted from the PCAP go here)
    (0x80, 0xff, 0xfa),
]

# Make the image big because we don't know how long the message is
img = Image.new('RGB', (10000, 10000), color='white')
canvas = img.load()

# Start the cursor in the middle of the canvas
mouse_x = 5000
mouse_y = 5000

for data in mouse_events:
    # Get the left mouse button status (bit 0 of the button byte)
    left_button_pressed = data[0] & 0b00000001

    # Get the mouse movement in x and y (signed 8-bit, two's complement)
    x_offset = int.from_bytes(data[1:2], "big", signed=True)
    y_offset = int.from_bytes(data[2:3], "big", signed=True)

    mouse_x += x_offset
    mouse_y += y_offset

    if left_button_pressed:
        # These two for loops are to make the pixels thicker
        for i in range(5):
            for j in range(5):
                px, py = round(mouse_x) + i, round(mouse_y) + j
                # Write a black pixel on the canvas (skip if the cursor
                # wandered off the canvas, which would otherwise raise)
                if 0 <= px < img.width and 0 <= py < img.height:
                    canvas[px, py] = (0, 0, 0)

# Save the image to disk
img.save("final.png")
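The script above guesses a 10000x10000 canvas (a 300 MB RGB buffer) and only stamps a dot at each report, so a fast pen move leaves gaps between dots. The following is an added example, not code from the original writeup: it takes the raw hex HID lines as tshark or CyberChef would export them, decodes the (buttons, dx, dy) reports with the same signed-byte convention, groups the points into strokes per button press, sizes the canvas from the bounding box of what was actually drawn, and joins consecutive points with line segments. It uses only the standard library and writes a plain PBM instead of a PNG. The sample HID lines are constructed for the demo and are not from the challenge capture.

```python
"""Rebuild pen strokes from 3-byte HID mouse/tablet reports (buttons, dx, dy)
exported as one hex string per packet. Standard library only, so the canvas
is sized from the data instead of being guessed at 10000x10000."""
import struct

# Constructed sample HID data (not from the CTF capture), one report per line
# in the format tshark or CyberChef would export (hex, optionally ':'-separated).
# Byte 0 is the button bitmap (bit 0 = left), bytes 1 and 2 are signed 8-bit
# dx/dy. The sample traces an "L": move right pen-up, draw right, draw down,
# release, move left.
SAMPLE_HID_LINES = """
000000
000500
01:0a:00
010a00
01000a
01000a
000000
00fb00
""".split()


def parse_hid_line(line):
    """Return (buttons, dx, dy) for one report, or None if it is too short."""
    raw = bytes.fromhex(line.replace(":", "").replace(" ", ""))
    if len(raw) < 3:
        return None
    # '<Bbb': unsigned button byte, then two signed deltas (two's complement).
    return struct.unpack("<Bbb", raw[:3])


def events_to_strokes(events, start=(0, 0), button_mask=0x01):
    """Integrate the relative moves and collect the positions visited while
    the selected button is held, one list of points per continuous stroke."""
    x, y = start
    strokes, current = [], None
    for buttons, dx, dy in events:
        x += dx
        y += dy  # HID y grows downwards, same as image rows
        if buttons & button_mask:
            if current is None:
                current = []
                strokes.append(current)
            current.append((x, y))
        else:
            current = None  # button released: the next press starts a new stroke
    return strokes


def bounding_box(strokes):
    """(min_x, min_y, max_x, max_y) over every drawn point."""
    xs = [p[0] for s in strokes for p in s]
    ys = [p[1] for s in strokes for p in s]
    return min(xs), min(ys), max(xs), max(ys)


def rasterize(strokes, pen=1, margin=0):
    """Return a row-major 0/1 grid sized from the bounding box. Consecutive
    points of a stroke are joined with a line so fast moves leave no gaps."""
    min_x, min_y, max_x, max_y = bounding_box(strokes)
    width = max_x - min_x + 1 + 2 * margin
    height = max_y - min_y + 1 + 2 * margin
    grid = [[0] * width for _ in range(height)]

    def plot(px, py):
        for i in range(pen):
            for j in range(pen):
                cx, cy = px - min_x + margin + i, py - min_y + margin + j
                if 0 <= cx < width and 0 <= cy < height:
                    grid[cy][cx] = 1

    for stroke in strokes:
        plot(*stroke[0])
        for (x0, y0), (x1, y1) in zip(stroke, stroke[1:]):
            steps = max(abs(x1 - x0), abs(y1 - y0), 1)
            for k in range(steps + 1):
                plot(round(x0 + (x1 - x0) * k / steps),
                     round(y0 + (y1 - y0) * k / steps))
    return grid


def write_pbm(grid, path):
    """Write the grid as a plain PBM (P1) image; 1 = black pixel."""
    with open(path, "w") as fh:
        fh.write(f"P1\n{len(grid[0])} {len(grid)}\n")
        for row in grid:
            fh.write(" ".join(map(str, row)) + "\n")


def recover(lines):
    """Full pipeline: hex lines -> events -> strokes (empty lines skipped)."""
    events = [e for e in map(parse_hid_line, lines) if e is not None]
    return events_to_strokes(events)


if __name__ == "__main__":
    strokes = recover(SAMPLE_HID_LINES)
    print("strokes:", strokes, "bbox:", bounding_box(strokes))
    write_pbm(rasterize(strokes, pen=3, margin=5), "final.pbm")
```

To use it on a real capture, replace SAMPLE_HID_LINES with the exported HID data lines (for example from a tshark field dump or the CyberChef output), and change button_mask if the pen-down bit of the device is not bit 0: in the writeup's own data the first byte is 0x80, so if the image comes out empty, that is the first thing to check.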



Émilio Gonzalez
Blue team analyst in Quebec, Canada. Passionate about cybersecurity and urbanism. Twitter: @res260